Thursday, May 15, 2008

Botnets with SQL Injection tools

Dan Goodin of The Register has a gem of a story about the life of a teenage botmaster and how he got busted by the feds. While this smells of a low-hanging-fruit conviction, it provides compelling insight into just how little skill a person needs to illegally turn a tidy profit by compromising users' machines and committing fraudulent acts. It also begs the question of how much the people with some decent skills are making, who also TRY NOT to get caught.

4 comments:

This is the reason why security needs to be applied throughout the SDLC. SQLi has been solved for years. In my opinion, there is no excuse for having such vulnerabilities in your software. Having such shows that you care little about your user/customer, and even less about their (potentially sensitive) data that you are processing.

@matt, it's just the big challenge that all this vulnerable code is already out there in circulation and extremely time consuming and expensive to fix. That is even if the organization cares above the next feature.

As far as I know, this is just a small issue, there is a lot more out there, and a lot more smart people out there that can do serious damage, if not already doing so. Problem is, they do NOT make mistakes. I'm still wondering when people start catching the big fish out there... And like you said, SQL injection bots are already old news, I wouldn't know what would come next... I'm sure they will always find ways to do so.

Doesn't sound much different than those damn RFI bots that constantly attack everyone's website with the "myweddingphotos" URL, or any other shells. I'm sure the potential for data loss is the same if not greater on those than SQL injections. As far as profits go I would assume that they could be in upwards of $100,000 but that is an estimate based upon the earnings of the less-skilled herders.

About Me

Jeremiah Grossman's career spans nearly 20 years; he has lived a literal lifetime in computer security to become one of the industry's biggest names. He has received a number of industry awards and has been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for his security research. Jeremiah has written hundreds of articles and white papers. As an industry veteran, he has been featured in hundreds of media outlets around the world. Jeremiah has been a guest speaker on six continents at hundreds of events, including many top universities. All of this came after Jeremiah served as an information security officer at Yahoo!